Use the ModifyDomain API to modify the configuration of a CNAME-accessed domain - Web Application Firewall

Updates a CNAME-based domain name onboarded to Web Application Firewall (WAF).

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:ModifyDomain

update

DefenseResource

acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}

DefenseResource

acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Domain}-waf

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the WAF instance. Note Call the DescribeInstance operation to query the ID of the WAF instance.	waf_cdnsdf3****
Domain	string	No	The domain name whose configurations you want to modify.	www.aliyundoc.com
DomainId	string	No	The ID of the domain name.	www.aliyundoc.com-waf
Listen	object	Yes	The listening settings.
HttpsPorts	array	No	The HTTPS listening ports. The format is [port1,port2,...].
	integer	No	An HTTPS listening port.	443
HttpPorts	array	No	The HTTP listening ports. The format is [port1,port2,...].
	integer	No	An HTTP listening port.	80
Http2Enabled	boolean	No	Indicates whether HTTP/2 is enabled. This parameter is available only when HttpsPorts is not empty, which indicates that the domain uses HTTPS. Valid values: true: HTTP/2 is enabled. false (default): HTTP/2 is disabled.	true
CertId	string	No	The ID of the certificate.	123
SM2Enabled	boolean	No	Indicates whether SM certificates are enabled.	true
SM2CertId	string	No	The ID of the SM certificate. This parameter is required only when SM2Enabled is set to true.	123-cn-hangzhou
SM2AccessOnly	boolean	No	Indicates whether access is allowed only from SM clients. This parameter is available only when SM2Enabled is set to true. Valid values: true: Only SM clients can access the website. false: Both SM and non-SM clients can access the website.	true
TLSVersion	string	No	The TLS version. This parameter is available only when HttpsPorts is not empty, which indicates that the domain uses HTTPS. Valid values: tlsv1 tlsv1.1 tlsv1.2	tlsv1
EnableTLSv3	boolean	No	Indicates whether TLS 1.3 is supported. This parameter is available only when HttpsPorts is not empty, which indicates that the domain uses HTTPS. Valid values: true: TLS 1.3 is supported. false: TLS 1.3 is not supported.	true
CipherSuite	integer	No	The type of the cipher suite. This parameter is available only when HttpsPorts is not empty, which indicates that the domain uses HTTPS. Valid values: 1: all cipher suites. 2: strong cipher suites. You can select this value only when you set TLSVersion to tlsv1.2. 99: custom cipher suites.	2
CustomCiphers	array	No	The custom cipher suites. This parameter is available only when you set CipherSuite to 99.
	string	No	A custom cipher suite.	["xxx","ffas"]
FocusHttps	boolean	No	Indicates whether forced HTTPS redirection is enabled. This parameter is available only when the domain uses HTTPS but not HTTP. Valid values: true: Forced HTTPS redirection is enabled. false: Forced HTTPS redirection is disabled.	true
XffHeaderMode	integer	No	The method that WAF uses to obtain the real IP address of a client. Valid values: 0 (default): WAF obtains the client IP address from the TCP connection. This option is suitable if no Layer 7 proxies are deployed in front of WAF. 1: WAF obtains the client IP address from the first value of the X-Forwarded-For (XFF) header. 2: WAF obtains the client IP address from a custom header field.	2
XffHeaders	array	No	The custom header fields that are used to obtain the client IP address. The format is ["header1","header2",...]. Note This parameter is required only when you set XffHeaderMode to 2.
	string	No	A custom header field from which to retrieve the client IP.	Client-ip
IPv6Enabled	boolean	No	Indicates whether IPv6 is enabled. Valid values: true: IPv6 is enabled. false (default): IPv6 is disabled.	true
ProtectionResource	string	No	The type of the protection resource. Valid values: share (default): a shared cluster. gslb: a shared cluster with global server load balancing.	share
ExclusiveIp	boolean	No	Indicates whether an exclusive IP address is enabled. This parameter is available only when you set IPv6Enabled to false and ProtectionResource to share. Valid values: true: An exclusive IP address is enabled. false (default): An exclusive IP address is disabled.	true
HstsIncludeSubDomain	boolean	No	Indicates whether subdomains are included in the HTTP Strict Transport Security (HSTS) policy. Valid values: true: Subdomains are included. false: Subdomains are not included.	false
HstsPreload	boolean	No	Indicates whether HSTS preload is enabled. Default value: false. Valid values: true: HSTS preload is enabled. false: HSTS preload is disabled.	false
HstsMaxAge	integer	No	The time-to-live (TTL) of the HSTS policy. Unit: seconds.	365000
Redirect	object	Yes	The forwarding settings.
Backends	array	No	The IP addresses or domain names of the origin server. You can specify only one type of address. If you specify a domain name, only IPv4 is supported. IPv6 is not supported. IP addresses: The format is ["ip1","ip2",...]. You can specify up to 20 IP addresses. Domain names: The format is ["domain"]. You can specify up to 20 domain names.
	string	No	An IP address or domain name of the origin server.	1.1.XX.XX
Loadbalance	string	Yes	The load balancing algorithm for back-to-origin requests. Valid values: iphash: the IP hash algorithm. roundRobin: the round-robin algorithm. leastTime: the least time algorithm. This value is available only when you set ProtectionResource to gslb.	iphash
FocusHttpBackend	boolean	No	Indicates whether forced HTTP back-to-origin is enabled. This parameter is available only when you specify HttpsPorts. Valid values: true: Forced HTTP back-to-origin is enabled. false: Forced HTTP back-to-origin is disabled.	true
SniEnabled	boolean	No	Indicates whether back-to-origin Server Name Indication (SNI) is enabled. This parameter is available only when you specify HttpsPorts. Valid values: true: Back-to-origin SNI is enabled. false (default): Back-to-origin SNI is disabled.	true
SniHost	string	No	The value of the custom SNI field. If you do not set this parameter, the value of the Host field from the request header is used by default. You typically do not need to set this parameter unless your business requires a custom SNI value for back-to-origin requests. Note This parameter is available only when you set SniEnabled to true.	www.aliyundoc.com
RequestHeaders	array<object>	No	The custom header fields and their values for traffic marking. WAF adds these fields and values to the request headers when traffic passes through WAF. This helps backend services identify and collect statistics on WAF-processed traffic.
	object	No	The format is [*{"k":"key","v":"value"}]. key* specifies the custom header field, and value specifies the value of the field. Note If the custom header field already exists in the request, WAF overwrites its value with the specified value.
Key	string	No	The custom request header field.	aaa
Value	string	No	The value of the custom header field.	bbb
ConnectTimeout	integer	No	The connection timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 5.	120
ReadTimeout	integer	No	The read timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 120.	200
WriteTimeout	integer	No	The write timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 120.	200
CnameEnabled	boolean	No	Indicates whether public cloud disaster recovery is enabled. Valid values: true: Public cloud disaster recovery is enabled. false (default): Public cloud disaster recovery is disabled.	true
RoutingRules	string	No	The forwarding rules for a hybrid cloud deployment. This parameter is a string that contains a JSON array. Each element in the array is a struct that contains the following fields: rs: an array of strings. The back-to-origin IP addresses or CNAMEs. backupRs: an array of strings. The backup back-to-origin IP addresses or CNAMEs. This field is required. If you do not want to specify backup addresses, set it to []. location: a string. The name of the protection node. locationId: a long integer. The ID of the protection node.	[ { "rs": [ "1.1.XX.XX" ], "backupRs": [ "2.2.XX.XX" ], "locationId": 535, "location": "test1111" } ]
Keepalive	boolean	No	Indicates whether persistent connections are enabled. Valid values: true (default): Persistent connections are enabled. false: Persistent connections are disabled.	true
Retry	boolean	No	Indicates whether forwarding requests to the origin server are retried when the requests fail. Valid values: true (default): Requests are retried. false: Requests are not retried.	true
KeepaliveRequests	integer	No	The number of requests that can be reused in a persistent connection. Valid values: 60 to 1000. Default value: 1000. Note This parameter is available only when you enable persistent connections.	1000
KeepaliveTimeout	integer	No	The idle timeout for a persistent connection. Unit: seconds. Valid values: 1 to 60. Default value: 15. Note This parameter specifies the amount of time that an idle persistent connection can remain open.	15
XffProto	boolean	No	Indicates whether the X-Forwarded-Proto header is used to pass the protocol used by WAF to the origin server. Valid values: true (default): The WAF protocol is passed. false: The WAF protocol is not passed.	true
BackupBackends	array	No	The IP addresses or domain names of the backup origin server.
	string	No	The IP addresses or domain names of the backup origin server. You can specify only one type of address. If you specify a domain name, only IPv4 is supported. IPv6 is not supported. IP addresses: The format is ["ip1","ip2",...]. You can specify up to 20 IP addresses. Domain names: The format is ["domain"]. You can specify up to 20 domain names.	[ "1.1.XX.XX", "2.2.XX.XX" ]
XClientIp	boolean	No	Indicates whether WAF is allowed to overwrite the X-Client-IP header. Valid values: true (default): WAF is allowed to overwrite the header. false: WAF is not allowed to overwrite the header.	true
XTrueIp	boolean	No	Indicates whether WAF is allowed to overwrite the X-True-IP header. Valid values: true (default): WAF is allowed to overwrite the header. false: WAF is not allowed to overwrite the header.	true
WebServerType	boolean	No	Indicates whether WAF is allowed to overwrite the Web-Server-Type header. Valid values: true (default): WAF is allowed to overwrite the header. false: WAF is not allowed to overwrite the header.	true
WLProxyClientIp	boolean	No	Indicates whether WAF is allowed to overwrite the WL-Proxy-Client-IP header. Valid values: true (default): WAF is allowed to overwrite the header. false: WAF is not allowed to overwrite the header.	true
MaxBodySize	integer	No	The maximum size of a request body. Unit: GB. Valid values: 2 to 10. Default value: 2. Note This parameter is supported only by the WAF Ultimate edition.	2
Http2Origin	boolean	No	Indicates whether HTTP/2 is enabled for back-to-origin requests. Valid values: true: HTTP/2 is enabled for back-to-origin requests. false: HTTP/2 is disabled for back-to-origin requests.	true
Http2OriginMaxConcurrency	integer	No	The maximum number of concurrent HTTP/2 back-to-origin requests. Valid values: 1 to 512. Default value: 2.	128
ProxyProtocol	boolean	No	Indicates whether the Proxy Protocol is enabled to preserve client IP addresses. true: The Proxy Protocol is enabled. If you select this option, you can view the client IP address on the origin server. false: The Proxy Protocol is disabled.	false
BackendPorts	array<object>	No	The custom port mappings for back-to-origin.
	object	No	A custom port mapping for back-to-origin.
ListenPort	integer	No	The WAF listening port.	80
BackendPort	integer	No	The port of the origin server.	80
Protocol	string	No	The protocol of the listening port. Valid values: http: HTTP. https: HTTPS.	http
RegionId	string	Yes	The region where the WAF instance resides. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
AccessType	string	No	The access mode of the WAF instance. Valid values: share (default): onboarding by using a CNAME record. hybrid_cloud_cname: onboarding by using a hybrid cloud CNAME record.	share

Response elements

Element	Type	Description	Example
	object	The response structure.
RequestId	string	The ID of the request.	D7861F61-5B61-46CE-A47C-6B19160D****
DomainInfo	object	The information about the modified domain name.
Cname	string	The CNAME that is assigned by WAF to the domain name.	xxxxxcvdaf.****.com
Domain	string	The domain name whose configurations are modified.	www.aliyundoc.com
DomainId	string	The ID of the domain name.	www.aliyundoc.com-waf

Examples

Success response

JSON format

{
  "RequestId": "D7861F61-5B61-46CE-A47C-6B19160D****",
  "DomainInfo": {
    "Cname": "xxxxxcvdaf.****.com",
    "Domain": "www.aliyundoc.com",
    "DomainId": "www.aliyundoc.com-waf"
  }
}

Error codes

HTTP status code	Error code	Error message	Description
400	Waf.Pullin.BusinessViolation	The web services are suspected of violating regulations. If you have any questions, please submit a work order. Violating resource: %s.
400	Waf.Control.DomainAndDomainIdBothEmpty	domain and domainId cannot be empty at the same time.
400	Waf.Control.DomainAndDomainIdNotMatch	domain and domainId do not match.
400	Waf.Control.DomainIdIsIllegal	The input parameter, the domainId is illegal.
400	Waf.Pullin.BackupBackendConflict	The backup backend configuration conflicts.
400	Waf.Pullin.BackendPortIncompatible	The back-to-source port is incompatible with the listening port, listening protocol:%s, listening port:%s, back-to-source port:%s.
400	Waf.Pullin.Http2OriginMustOnKeepaliveEnable	When the HTTP2 origin is turned on, the keepalive must be turned on.	When the HTTP2 origin is turned on, the keepalive must be turned on.
400	Waf.Pullin.Http2OriginEnabledFocusHttpBackendForbidden	When HTTP2 origin is enabled, HTTP origin cannot be enabled.	When HTTP2 origin is enabled, HTTP origin cannot be enabled.
400	Waf.Pullin.BatchDnsScheduleCheckFailed	Batch dns scheduling is in progress, and access related operations are prohibited.	batch dns scheduling is in progress, and access-related operations are prohibited.
400	Waf.Pullin.InvalidMaxAgeWithPreload	HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000.	HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000
400	Waf.Pullin.InvalidIncludeSubDomainWithPreload	The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true.	The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true.
400	Waf.Pullin.InvalidCustomCiphers	Invalid custom cipher suite.	Invalid custom cipher suite.
400	Waf.Pullin.InvalidHttp2OriginWithProxyProtocol	http2Origin and proxyProtocol cannot be opened at the same time.	http2Origin and proxyProtocol cannot be opened at the same time.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.